> Marco Cremonini, 24 January 2007 09:51
> The problem is: We would like to implement/adopt a high-level
> specification language for the definition of a security
> policy, something that should allow specifying the policy at
> the organizational level. Such a policy should then be
> translated into specific fw rules.

The problem is that the main part of a security policy is not technical but
organizational, and has to deal with human behavior!

Example: if your security policy says that it is not allowed to surf
non-professional websites, you only need to check that there is no violation of
this rule (read: web proxy log analysis). What you don't need is a URL
filtering system.

About the human part of the security policy:
1/ make people learn it and understand the whereabouts, [1]
2/ check if violations of the policy exist,
3/ have people explain why they don't respect the policy. [2]

Only the technical part of the policy has to be enforced by technical means
(example: designing a DMZ to isolate IN and OUT networks).

[1] Yes... I know Marcus' point of view: user education is one of the worst
security ideas.
[2] User (and manager!) education is needed, but is not enough. It's just a
beginning: telling users that doing this or that is bad is not enough, you have
to show them why, and spot them when they did bad things. Users are like children
when it comes to security: they have to be educated. The bad point is that users
are *adults*, and they don't want to be educated because they are convinced they
already are!
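Added example (not part of the post above or of the list thread): one way to do the "check the proxy logs for violations instead of deploying URL filtering" approach the message describes. It assumes Squid native access.log format; the non-professional domain list and the log lines are constructed for the example. Matching is done on whole host labels, so a lookalike such as `example-sport.test.evil.test` is not counted against the listed `example-sport.test`.

```python
"""Check web proxy logs for policy violations instead of blocking at the proxy.

Added example: Squid native access.log lines are parsed, the requested host is
extracted, and hits against a constructed list of non-professional domains are
reported per user. The domain list and the log lines are constructed.
"""
from collections import defaultdict
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed list of domains the (hypothetical) policy treats as non-professional.
NON_WORK_DOMAINS = frozenset({"example-sport.test", "example-video.test"})

# Constructed Squid native-format access.log lines:
# timestamp elapsed client action/status size method url user hierarchy/peer type
SAMPLE_LOG = """\
1169628600.123    120 10.0.0.5 TCP_MISS/200 5120 GET http://www.example-sport.test/scores alice DIRECT/203.0.113.10 text/html
1169628601.456     80 10.0.0.6 TCP_HIT/200 2048 GET http://intranet.corp.test/wiki bob NONE/- text/html
1169628602.789    200 10.0.0.5 TCP_MISS/200 90210 GET http://cdn.example-video.test/clip.mp4 alice DIRECT/203.0.113.20 video/mp4
1169628603.000    100 10.0.0.7 TCP_MISS/407 0 CONNECT example-video.test:443 - HIER_NONE/- -
1169628604.321     60 10.0.0.8 TCP_MISS/200 1024 GET http://www.example-sport.test.evil.test/ carol DIRECT/203.0.113.30 text/html
"""


def parse_squid_line(line):
    """Return (timestamp, client_ip, user, host) for one Squid native log line, or None."""
    fields = line.split()
    if len(fields) < 10:
        return None
    ts = datetime.fromtimestamp(float(fields[0]), tz=timezone.utc)
    client, method, url, user = fields[2], fields[5], fields[6], fields[7]
    if method == "CONNECT":
        host = url.rsplit(":", 1)[0]  # CONNECT lines carry host:port, not a URL
    else:
        host = urlsplit(url).hostname or ""
    return ts, client, user, host.lower()


def is_non_work(host, domains=NON_WORK_DOMAINS):
    """True if host equals a listed domain or is a subdomain of one (label-wise suffix match)."""
    labels = host.split(".")
    return any(".".join(labels[i:]) in domains for i in range(len(labels)))


def find_violations(log_text, domains=NON_WORK_DOMAINS):
    """Group matching requests by user (by client IP when the proxy saw no user name)."""
    report = defaultdict(list)
    for line in log_text.splitlines():
        parsed = parse_squid_line(line)
        if parsed is None:
            continue
        ts, client, user, host = parsed
        if is_non_work(host, domains):
            who = user if user != "-" else client
            report[who].append((ts.isoformat(), host))
    return dict(report)


if __name__ == "__main__":
    for who, hits in sorted(find_violations(SAMPLE_LOG).items()):
        print(f"{who}: {len(hits)} hit(s)")
        for when, host in hits:
            print(f"  {when}  {host}")
```

The output is a per-user list to take into the conversation the message calls for (step 3/), not a block decision; unauthenticated CONNECT requests fall back to the client IP so they are not silently dropped.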

